Hav­ing a Lin­ux sys­tem auto­mat­i­cal­ly log in to a graph­i­cal pro­gram on boot is sur­pris­ing­ly dif­fi­cult. Com­mon solu­tions involve set­ting up a dis­play man­ag­er with cus­tom con­fig­u­ra­tion and it gets messier from there. For­tu­nate­ly there is a bet­ter way, xlo­gin uses sys­temd to launch X for a giv­en user.

The devel­op­er describes it as a stop-gap workaround but after four years it is still a lead­ing solu­tion. xlo­gin con­sists of two sys­temd ser­vices, a launch­ing wrap­per script, and a xini­trc con­fig tweak. If it is a hack it is a very ele­gant one, the four files togeth­er come to just forty lines (31 if you remove com­ments and white­space).

Unfor­tu­nate­ly it’s not pack­aged for Debian, while shov­el­ling some files on to the disk works as a short term mea­sure in the long run I real­ly need it to be pack­aged, it great­ly helps the image gen­er­a­tion and allows long term main­te­nance. So I pre­pared a quick ugly pack­age. It cur­rent­ly has some issues that like bad source pack­age gen­er­a­tion don’t impact me but need to be fixed, I’ll clean it up and look and sub­mit­ting it in a few weeks.

Package Managing

To feed the pack­ages in to mul­ti­strap requires a Debian repos­i­to­ry. Fun­da­men­tal­ly this is a http or ftp direc­to­ry tree with a few spe­cial­ly for­mat­ted files. There are a pletho­ra of tools to assist cre­at­ing this but as is com­mon when there are lots of tools doing the same job, none of them stand out as been con­sid­er­ably bet­ter than the oth­ers. I chose to use repre­pro, it isn’t easy to set up but blind­ly fol­low­ing online guides worked for me.

Keyring Managing

Debian signs all of it’s pack­ages as a basic assur­ance mea­sure. The Debian tools take some con­vinc­ing to run unsigned pack­ages so it is eas­i­er when build­ing your own pack­ages to sign them too.

Sign­ing is the easy half. You gen­er­ate a gpg key, feed it to repre­pro and it signs all the pack­ages it deliv­ers.

Where things get a bit more com­plex is get­ting the pub­lic key in to the client com­put­er so that it can ver­i­fy the key. The quick solu­tion is to push the key in to apt-key when gen­er­at­ing the image. This works but is dif­fi­cult to main­tain.

The more com­plete solu­tion, which Debian uses for it’s own pack­ages, is to cre­ate a keyring con­tain­ing all the valid keys. This keyring is then pack­aged and dis­trib­uted through the pack­age man­age­ment sys­tem. Struc­tur­ing it this ways allows keys to be added or revoked as required by push­ing a pack­age update. Dou­bling down the com­plex­i­ty, man­ag­ing the keyring pack­age is a clus­ter of pro­grams called jetring which pro­vide tra­ca­bil­i­ty of changes.

I built my own keyring pack­age, lod­labs-keyring based on debian-archive-keyring which I dis­trib­ute through my devel­op­ment pack­age man­ag­er. With this set­up I can feed mul­ti­strap cus­tom pack­ages at will.

A quick note, using this tech­nique mul­ti­strap must be able to acquire the keyring pack­age itself. So the image gen­er­at­ing machine must tie apt in to the pri­vate repos­i­to­ry and have the keyring installed.

Creating your own keyring package

For a very small sim­ple pack­age cre­at­ing your own keyring is a bit of work.

For starters, you need the basics:

apt-get build-depends debian-archive-keyring
apt-get source debian-archive-keyring

The debian-archive-keyring has a few direc­to­ries:

  • keyrings:
    This con­tains the gen­er­at­ed keyrings, the end prod­ucts. They are cre­at­ed by the Make­file.
  • active-keys, removed-keys, team-mem­bers:
    Each of these direc­to­ries con­tains a col­lec­tion of keys.
    The keys are of a cus­tom file for­mat, gen­er­at­ed by jetring from a gpg key.
    Instruc­tions for cre­at­ing a key are in README.maintainer.
    There is also an index file with a check­sum for each key, this can be gen­er­at­ed by jetring-accept.
    Final­ly there is an index.gpg file which signs the index, this can be gen­er­at­ed by jetring-signin­dex.
    • active-keys:
      This keyring is used to ver­i­fy the archive pack­ages and is dis­trib­uted in the gen­er­at­ed pack­age.
    • removed-keys:
      This keyring is used to revoke pre­vi­ous active keys and is dis­trib­uted in the gen­er­at­ed pack­age.
    • team-mem­bers:
      This keyring is used by the pack­age gen­er­a­tion to ver­i­fy the active and removed keyrings. It is not dis­trib­uted out­side the pack­age.

To pro­ceed you are going to need two gpg keys, you con prob­a­bly use the same key twice but it wouldn’t be advis­able. I gen­er­at­ed two dif­fer­ent sub­keys fol­low­ing the instruc­tions here. The active sub­key is the one used to set up repre­pro and sign your pack­ages. The team sub­key is your per­son­al sign­ing key.

Push the per­son­al key into the team key­chain, then the repre­pro key into the active key­chain by fol­low­ing the instruc­tions in debian-archive-keyring’s README.maintainer.

Once your keys are in the pack­ag­ing key direc­to­ries, delete all the oth­er keys in active-keys and team-mem­bers. Edit the index files so that only your key entry remains. Then resign the index by run­ning jetring-signin­dex over each fold­er.

You can also delete all the keys in removed-keys, cre­ate an emp­ty index file and sign it with jetring-signin­dex.

Now if you run ‘make‘ it should gen­er­ate new keyring files only con­tain­ing your keys.

To com­plete the pack­age it will need to be renamed. Edit all the debian files, chang­ing every instance of debian-archive-keyring to your-keyring. The changel­og, copy­right and con­trol files will all need to have por­tions par­tial­ly rewrit­ten. The debian-archive-keyring script files in the debian fold­er will need to be renamed and the debian-archive-keyring instances in the Make­file will all need to be changed.

The gen­er­at­ed keyring files must be signed, run
gpg --armor --detach-sign keyrings/your-removed-keys.gpg

Final­ly invok­ing ‘debuild -b -uc -us‘ should spit out your-keyring_<year>.<month>_all.deb.